On Tue, Jun 30, 2020 at 10:41:28AM +0200, Borislav Petkov wrote: > On Mon, Jun 29, 2020 at 11:00:55PM -0700, Sean Christopherson wrote: > > E.g. the vDSO function should get the fixup even if userspace screws > > up mmap() and invokes __vdso_sgx_enter_enclave() without being tagged > > an SGX task. > > I sincerely hope you don't mean this seriously. > > Please add a member to task_struct which denotes that a task is an > sgx task, test that member where needed and forget real quickly about > running *any* *fixup* for unrelated tasks. But IMO they're not unrelated if they end up in __vdso_sgx_enter_enclave(). Getting to the point where __vdso_sgx_enter_enclave() actually attempts ENCLU (the single fixup entry) requires a very deliberate attempt to run an enclave. Not to mention the fixup doesn't squash the fault, it simply morphs what would be a signal into a synchronous error. And I don't see how to sanely track this in task_struct. As stated before, the only foolproof way to identify an SGX task is by tracking whether it has a VMA backed by /dev/sgx/enclave, i.e. the flag would probably need to reside in mm_struct. Keying off opening /dev/sgx/enclave isn't viable as enclaves can be handed off via SCM_RIGHTS or fork(). Putting a flag in mm_struct is doable, but it would need to be sticky to keep things sane, e.g. clearing the flag on unmapping the enclave would require refcounting VMAs and hooking vm_ops->close. The refcounting is painful (we had it for several years) and ->close prevents merging VMAs, which IMO is far worse than unconditionally morphing fault-based signals that originate in __vdso_sgx_enter_enclave(). And assuming we don't do the whole ->close thing, we'd end up with MADV_DONTFORK -> fork() having divergent behavior for mm_structs without /dev/sgx/enclave VMAs, i.e. the child of MADV_DONTFORK -> fork() case would not be tagged SGX (unless we intentionally do the "wrong" thing and propagate the flag), whereas the munmap() case would result in a SGX-tagged mm_struct with no /dev/sgx/enclave VMAs.
